Skip to main content
Red Canary help

FAQ: Vmware Carbon Black

  • Updated .

What if I observe high CPU performance on a Windows endpoint? 

You would typically see these types of things on some of the following types of servers:

  • Domain controllers
  • DHCP/DNS servers
  • Exchange servers
  • An application server that would require this type of lookup

You can observe this behavior by pulling up “Task Manager,” where you may find that the (cb.exe) has a higher percentage of the available CPU.

To resolve this issue you need to add the following registry entry and restart the server: 

[HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config]
"DisableNetConnNameResolution"=dword:00000001

What do I do if I have installed the sensor but the endpoint does not show up in Red Canary or my Vmware Carbon Black EDR instance?

You can run through several steps to troubleshoot network connectivity:

  1. Ensure cb.exe is running (visible to administrators via Task Manager) and the “Carbon Black Sensor” service shows as “Running” in the Services list.
  2. Ensure that nothing is blocking communications to the VMware server at https://cb.demo.my.redcanary.co:443 .
    1. There may be a firewall (either host-based or network-based), web filter/proxy, etc. that is preventing SSL communications outbound to the Cb server.
    2. DNS resolution must also be properly functioning on the system so the Cb server URL can be resolved to the appropriate IP address.
  3. Visit the above URL using a web browser on the non-reporting system.
    1. You may see an initial error related to the self-signed cert, but if you proceed through the error, you will see a Cb login screen if the traffic was permitted.
    2. If you don’t see any response at all, this is likely due to a traffic block.
  4.  If the above doesn’t help, rebooting is worth a try, if business operations allow.

There is a known issue where Windows XP/2003 systems sometimes need to be rebooted after sensor installation, but this does not apply to Windows 7/2008 and above.

How can I fix duplicate sensor IDs?

The easiest way for a Windows system to get a new sensorID without reinstalling is to change a registry setting:

  1. Open up Services and stop the Cb sensor service.
  2. Open up regedit.
  3. Open the key /HKEY_LOCAL_MACHINE/SOFTWARE/CarbonBlack/config/.
  4. Open up SensorID and change the value to 0.
  5. Start the Cb sensor service.

What are the Networking requirements for VMware Carbon Black?

When you deploy Carbon Black Cloud Enterprise EDR sensors, you want to know all of the associated network requirements so that your sensors will communicate properly and behave as expected.

The following documentation includes all the allowlist domains and IPs necessary to deliver telemetry to Red Canary:

Comments

0 comments

Please sign in to leave a comment.